Managing secure content in a content delivery network

ABSTRACT

A system, method, and computer readable medium for managing secure content by CDN service providers are provided. A network storage provider stores one or more resources on behalf of a content provider. A CDN service provider obtains client computing device requests for secure content. Based on processing first signature information, the CDN service provider determines whether the secure content is available to the client computing device. If the CDN service provider does not maintain the requested content, the CDN service provider transmits a request to the network storage provider. Based on second signature information and an identifier associated with the CDN service provider, the network storage provider processes the request based policy information associated with the identifier.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. application Ser. No. 12/722,454, now U.S. Pat. No. 8,397,073, entitled MANAGING SECURE CONTENT IN A CONTENT DELIVERY NETWORK, and filed Mar. 11, 2010, which in turn claims the benefit of U.S. Provisional Application No. 61/240,164, entitled DELIVERY OF SECURE CONTENT, and filed on Sep. 4, 2009, the disclosures of which are incorporated herein by reference.

BACKGROUND

Generally described, computing devices and communication networks can be utilized to exchange information. In a common application, a computing device can request content from another computing device via the communication network. For example, a user at a personal computing device can utilize a software browser application to request content, such as a Web page, from a server computing device via the Internet. In such embodiments, the user computing device can be referred to as a client computing device and the server computing device can be referred to as a content provider.

Content providers are generally motivated to provide requested content to client computing devices often with consideration of efficient transmission of the requested content to the client computing device and/or consideration of a cost associated with the transmission of the content. For larger scale implementations, a content provider may receive content requests from a high volume of client computing devices. Such higher volume requests can place a strain on the content provider's computing resources utilized to provide the requested content. Additionally, the content requested by the client computing devices may have a number of components, which can further place additional strain on the content provider's computing resources.

With reference to an illustrative example, a requested Web page, or original content, may be associated with a number of additional resources, such as images or videos, which are to be displayed with the Web page. In one specific embodiment, the additional resources of the Web page are identified by a number of embedded resource identifiers, such as uniform resource locators (“URLs”). In turn, software on the client computing devices typically processes embedded resource identifiers to generate requests for the content. Often, the resource identifiers associated with the embedded resources reference a computing device associated with the content provider such that the client computing device would transmit the request for the additional resources to the referenced content provider computing device. Accordingly, in order to satisfy a content request, the content provider(s) (or any service provider on behalf of the content provider(s)) would provide client computing devices data associated with the Web page and/or the data associated with the embedded resources.

Some content providers attempt to facilitate the delivery of requested content, such as Web pages and/or resources identified in Web pages, through the utilization of a network storage provider or a content delivery network (“CDN”) service provider. A network storage provider and a CDN server provider each typically maintain a number of computing devices in a communication network that can maintain content from various content providers. In turn, content providers can instruct, or otherwise suggest to, client computing devices to request some, or all, of the content provider's content from the network storage provider's or CDN service provider's computing devices.

As with content providers, network storage providers and CDN service providers are also generally motivated to provide requested content to client computing devices often with consideration of efficient transmission of the requested content to the client computing device and/or consideration of a cost associated with the transmission of the content. Accordingly, the service providers often consider factors such as latency of delivery of requested content in order to meet service level agreements or to generally improve the quality of delivery service.

With reference to the previous illustrative example, in some implementations, the content provider may desire to designate at least some of the additional resource embedded in the requested Web page as restricted content or to otherwise keep some portion of the content secure. In one approach, the content provider can utilize functionality included in the communication protocols, such as the Referer header associated with hypertext transfer protocol (“HTTP”), to restrict which clients can request content from a CDN service provider. However, such approaches are typically considered as a weak form of authentication and are prone to be spoofed. In another approach, the content provider can specify for the utilization of shared secret keys between the content provider and the CDN service provider or otherwise require the CDN service provider to authenticate all client requests for content with the content provider. However, such approaches typically require additional infrastructure and resources from the content provider and CDN service provider regarding authorization or verification protocols for each secure content request by a client.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing aspects and many of the attendant advantages of this invention will become more readily appreciated as the same become better understood by reference to the following detailed description, when taken in conjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram illustrative of content delivery environment including a number of client computing devices, content provider, a network storage provider, and a content delivery network service provider;

FIGS. 2A and 2B are block diagrams of the content delivery environment of FIG. 1 illustrating the registration of a content provider with a network storage provider and CDN service provider for facilitating the delivery of secure content;

FIG. 3 is a block diagram of the content delivery environment of FIG. 1 illustrating the generation and processing of a resource request by a client computing device to a content provider; and

FIGS. 4A-4C are block diagrams of the content delivery environment of FIG. 1 illustrating obtaining client computing device DNS queries and having the subsequent resource request processed by a CDN service provider.

DETAILED DESCRIPTION

Generally described, the present disclosure is directed to delivery of one or more resources associated with a content provider by selecting from available storage service providers and content delivery network (“CDN”) service providers. Specifically, aspects of the disclosure will be described with regard to the management of secure resource delivery by a service provider on behalf of a content provider. In one aspect, a content provider may associate different identities to the CDN service providers utilized to distribute requested resources on behalf of the content provider. The content provider, directly or indirectly, can associate content distribution policies in accordance with each CDN service provider identity. In another aspect, the client computing devices and CDN service providers can utilize secure content signatures in content requests without requiring validation of each signed content request by the content provider. Although various aspects of the disclosure will be described with regard to illustrative examples and embodiments, one skilled in the art will appreciate that the disclosed embodiments and examples should not be construed as limiting.

FIG. 1 is a block diagram illustrative of content delivery environment 100 for the managing registration of content with a CDN service provider and subsequent processing of content requests. As illustrated in FIG. 1, the content delivery environment 100 includes a number of client computing devices 102 (generally referred to as clients) for requesting content from a content provider, a network storage provider 110, and/or a CDN service provider 106. In an illustrative embodiment, the client computing devices 102 can correspond to a wide variety of computing devices including personal computing devices, laptop computing devices, hand-held computing devices, terminal computing devices, mobile devices, wireless devices, various electronic devices and appliances and the like. In an illustrative embodiment, the client computing devices 102 include necessary hardware and software components for establishing communications over a communication network 108, such as a wide area network or local area network. For example, the client computing devices 102 may be equipped with networking equipment and browser software applications that facilitate communications via the Internet or an intranet.

Although not illustrated in FIG. 1, each client computing device 102 utilizes some type of local DNS resolver component, such as a DNS nameserver, that generates the DNS queries attributed to the client computing device. In one embodiment, the local DNS resolver component may be provide by an enterprise network to which the client computing device 102 belongs. In another embodiment, the local DNS resolver component may be provided by an Internet Service Provider (ISP) that provides the communication network connection to the client computing device 102.

The content delivery environment 100 can also include a content provider 104 in communication with the one or more client computing devices 102 via the communication network 108. The content provider 104 illustrated in FIG. 1 corresponds to a logical association of one or more computing devices associated with a content provider. Specifically, the content provider 104 can include a web server component 112 corresponding to one or more server computing devices for obtaining and processing requests for content (such as Web pages) from the client computing devices 102. The content provider 104 can further include an origin server component 114 and associated storage component 116 corresponding to one or more computing devices for obtaining and processing requests for network resources. One skilled in the relevant art will appreciate that the content provider 104 can be associated with various additional computing resources, such additional computing devices for administration of content and resources, DNS nameservers, and the like. For example, as further illustrated in FIG. 1, the content provider 104 can be associated with one or more DNS nameserver components 118 that would receive DNS queries associated with the domain of the content provider 104 and be authoritative to resolve client computing device DNS queries corresponding to a domain of the content provider 104 (e.g., return an IP address responsive to the DNS query). A DNS nameserver component is considered to be authoritative to a DNS query if the DNS nameserver can completely resolve the query by providing a responsive IP address. Additionally, the content provider 104 may include multiple components or eliminate some components altogether, such as origin server 114.

With continued reference to FIG. 1, the content delivery environment 100 can further include a CDN service provider 106 in communication with the one or more client computing devices 102, the content provider 104, and the network storage provider 110 via the communication network 108. The CDN service provider 106 illustrated in FIG. 1 corresponds to a logical association of one or more computing devices associated with a CDN service provider. Specifically, the CDN service provider 106 can include a number of Point of Presence (“POP”) locations 120, 126, 132 that correspond to nodes on the communication network 108. Each POP 120, 126, 132 includes a DNS component 122, 128, 134 made up of a number of DNS nameserver computing devices for resolving DNS queries from the client computers 102. Each POP 120, 126, 132 also includes a resource cache component 124, 130, 136 made up of a number of cache server computing devices for storing resources from content providers or network storage providers and transmitting various requested resources to various client computers. The DNS components 122, 128, 134 and the resource cache components 124, 130, 136 may further include additional software and/or hardware components that facilitate communications including, but not limited, load balancing or load sharing software/hardware components.

In an illustrative embodiment, the DNS component 122, 128, 134 and resource cache component 124, 130, 136 are considered to be logically grouped, regardless of whether the components, or portions of the components, are physically separate. Additionally, although the POPs 120, 126, 132 are illustrated in FIG. 1 as logically associated with the CDN service provider 106, the POPs will be geographically distributed throughout the communication network 108 in a manner to best serve various demographics of client computing devices 102. Additionally, one skilled in the relevant art will appreciate that the CDN service provider 106 can be associated with various additional computing resources, such additional computing devices for administration of content and resources, and the like.

With further continued reference to FIG. 1, the content delivery environment 100 can also include a network storage provider 110 in communication with the one or more client computing devices 102, the CDN service provider 106, and the content provider 104 via the communication network 108. The network storage provider 110 illustrated in FIG. 1 also corresponds to a logical association of one or more computing devices associated with a network storage provider. Specifically, the network storage provider 110 can include a number of network storage provider Point of Presence (“NSP POP”) locations 138, 144, 150 that correspond to nodes on the communication network 108. Each NSP POP 138, 144, 150 can include a storage management (“SM”) component 140, 146, 152 for obtaining requests for resources from the client computing devices 102 and determining whether the requested resource should be provided by a CDN service provider 106 or from a storage component associated with the network storage provider 110. In an illustrative embodiment, the storage management components 138, 144, 150 can be associated with one or more DNS nameserver components that are operative to receive DNS queries related to registered domain names associated with the network storage provider 110. The one or more DNS nameservers can be authoritative to resolve client computing device DNS queries corresponding to the registered domain names of the network storage provider 110. As similarly set forth above, a DNS nameserver component is considered to be authoritative to a DNS query if the DNS nameserver can resolve the query by providing a responsive IP address.

Each NSP POP 138, 144, 150 also includes a storage component 142, 148, 154 made up of a number of storage devices for storing resources from content providers which will be processed by the network storage provider 110 and transmitted to various client computers. The storage components 142, 148, 154 may further include additional software and/or hardware components that facilitate communications including, but not limited to, load balancing or load sharing software/hardware components. In an illustrative embodiment, the storage components 142, 148, 154 are considered to be logically grouped, regardless of whether the components, or portions of the components, are physically separate.

Additionally, although the NSP POPs 138, 144, 150 are illustrated in FIG. 1 as logically associated with the network storage provider 110, the NSP POPs will be geographically distributed throughout the communication network 108 in a manner to best serve various demographics of client computing devices 102. Additionally, the network storage provider 110 can be associated with various additional computing resources, such additional computing devices for administration of content and resources, additional DNS nameservers, and the like. Even further, the components of the network storage provider 110 and components of the CDN service provider 106 can be managed by the same or different entities.

In an illustrative embodiment, the content delivery environment 100 can further include one or more secure information verification services 156. The secure information verification services 156 can be used in conjunction with a secured resource request, or secured content request, to verify security information provided by the client computing devices 102 or the CDN service provider 106. The secure information verification services 156 can be associated with one or more components of the content delivery environment 100. Alternatively, the secure information verification services 156 can be an independent, third party service utilized by other components in the content delivery environment 100.

One skilled in the relevant art will appreciate that the components and configurations provided in FIG. 1 are illustrative in nature. Accordingly, additional or alternative components and/or configurations, especially regarding the additional components, systems and subsystems for facilitating communications may be utilized.

With reference now to FIGS. 2-6, the interaction between various components of the content delivery environment 100 of FIG. 1 will be illustrated. For purposes of the example, however, the illustration has been simplified such that many of the components utilized to facilitate communications are not shown. One skilled in the relevant art will appreciate that such components can be utilized and that additional interactions would accordingly occur without departing from the spirit and scope of the present disclosure.

With reference to FIG. 2A, an illustrative interaction for registration of a content provider 104 with the CDN service provider 106 will be described. As illustrated in FIG. 2A, the CDN service provider content registration process begins with registration of the content provider 104 with the CDN service provider 106. In an illustrative embodiment, the content provider 104 utilizes a registration application program interface (“API”) to register with the CDN service provider 106 such that the CDN service provider 106 can managed content requests on behalf of the content provider 104. The registration API includes the identification of the origin server 114 of the content provider 104 that will provide requested resources to the CDN service provider 106 (either directly or via the network storage provider 110). In addition or alternatively, the registration API includes the content to be stored/managed by the CDN service provider 106 on behalf of the content provider 104.

Additionally, the registration API establishes the secured content information to be utilized by the CDN service provider 106 to manage requests by client computing devices 102. In one aspect, the secured content information can include signature information to be utilized by the CDN service provider 106 to verify secure content requests by clients. Alternatively, the secured content information can include information identifying one or more secure information verification services 156 utilized to verify secure content requests. In another aspect, the secured content information can include identity information utilized, such as an identifier, by the CDN service provider 106 to request information from an origin source, such as network storage provider 110. The identity information established for the CDN service provider 106 can be unique to individual CDN service providers or shared by two or more CDN server providers.

Based on the processing the registration API, the CDN service provider 106 can also confirm the registration API with the content provider 104. Additionally, the CDN service provider 106 can establish secure content information with network storage provider 110, which can include signature information to be utilized by the network storage provider 110 to verify secure content requests by the CDN service provider 106. The secure content information established between the CDN service provider 106 and the network storage provider 110 can be complimentary to any secure information provided by the content provider 104 or can replace any secure information provided by the content provider. Moreover, the secure content information established between the CDN service provider 106 and the network storage provider 110 can be different from any secure information associated with client computing devices 102

With reference to FIG. 2B, an illustrative interaction for registration of a content provider 104 with the network storage provider 110 will be described. As illustrated in FIG. 2B, the storage provider content registration process begins with registration of the content provider 104 with the network storage provider 110. In an illustrative embodiment, the content provider 104 utilizes a registration application program interface (“API”) to register with the network storage provider 110 such that the network storage provider 110 can provide content on behalf of the content provider 104. The registration API includes the identification of the origin server 114 of the content provider 104 that will provide requested resources to the network storage provider 110. In addition or alternatively, the registration API includes the content to be stored by the network storage provider 110 on behalf of the content provider 104. Additionally, the registration API with the network storage provider 110 can include the establishment of policies by the content provider 104 as to content requests by different identifiers associated with one or more CDN service providers 106. Still further, the content provider 104 can designate proxy authority to make, modify, or maintain policy information. The proxy authority can be provided to the CDN service providers 106 that maintain the policy information or to additional components of the content delivery environment 100.

One skilled in the relevant art will appreciate that upon storage of the content by the network storage provider 110, the content provider 104 can begin to direct requests for content from client computing devices 102 to the CDN service providers 106 or the CDN service providers to the network storage provider 110. Specifically, in accordance with DNS routing principles, a client computing device DNS request corresponding to a resource identifier would eventually be directed toward a storage component 140, 144, 148 of a NSP POP 138, 142, 146 associated with the network storage provider 110 (e.g., resolved to an IP address corresponding to a storage component).

In an illustrative embodiment, upon receiving the registration API, the network storage provider 110 obtains and processes the content provider registration information. In an illustrative embodiment, the network storage provider 110 can then generate additional information that will be used by the client computing devices 102 as part of the content requests. The additional information can include, without limitation, content provider identifiers, such as content provider identification codes, storage provider identifiers, such as storage provider identification codes, executable code for processing resource identifiers, such as script-based instructions, and the like. One skilled in the relevant art will appreciate that various types of additional information may be generated by the network storage provider 110 and that the additional information may be embodied in any one of a variety of formats.

The network storage provider 110 returns an identification of applicable domains for the network storage provider (unless it has been previously provided) and any additional information to the content provider 104. In turn, the content provider 104 can then process the stored content with content provider specific information. In one example, the content provider 104 translates resource identifiers originally directed toward a domain of the origin server 114 to a domain corresponding to the network storage provider 110. The modified URLs are embedded into requested content in a manner such that DNS queries for the modified URLs are received by a DNS nameserver corresponding to the network storage provider 110 and not a DNS nameserver corresponding to the content provider 104.

Generally, the identification of the resources originally directed to the content provider 104 will be in the form of a resource identifier that can be processed by the client computing device 102, such as through a browser software application. In an illustrative embodiment, the resource identifiers can be in the form of a uniform resource locator (“URL”). Because the resource identifiers are included in the requested content directed to the content provider, the resource identifiers can be referred to generally as the “content provider URL.” For purposes of an illustrative example, the content provider URL can identify a domain of the content provider 104 (e.g., contentprovider.com), a name of the resource to be requested (e.g., “resource.xxx”) and a path where the resource will be found (e.g., “path”). In this illustrative example, the content provider URL has the form of:

-   -   http://www.contentprovider.com/path/resource.xxx

During an illustrative translation process, the content provider URL is modified such that requests for the resources associated with the modified URLs resolve to a POP associated with the network storage provider 110. In one embodiment, the modified URL identifies the domain of the CDN service provider (e.g., “CDNprovider.com”), the same name of the resource to be requested (e.g., “resource.xxx”) and the same path where the resource will be found (e.g., “path”). Additionally, the modified URL can include additional processing information (e.g., “additional information”). Still further, in the event the requested resource is designated as secured content by the content provider 104, the content provider URL will include some type of signature information that will be utilized by the CDN service provider 106 to verify that the request for the resource has been authorized by the content provider 104 (e.g., “signature information”). The modified URL would have the form of:

-   -   http://additional         information.CDNprovider.com/path/resource.xxx?signature_information

In another embodiment, the information associated with the network storage provider 110 is included in the modified URL, such as through prepending or other techniques, such that the modified URL can maintain all of the information associated with the original URL. In this embodiment, the modified URL would have the form of:

-   -   http://additional         information.CDNprovider.com/www.contentprovider.com/path/resource.xxx?signature_information

With reference now to FIG. 3, after completion of the registration and translation processes illustrated in FIG. 2, a client computing device 102 subsequently generates a content request that is received and processed by the content provider 104, such as through the Web server 112. In accordance with an illustrative embodiment, the request for content can be in accordance with common network protocols, such as the hypertext transfer protocol (“HTTP”). Upon receipt of the content request, the content provider 104 identifies the appropriate responsive content. In an illustrative embodiment, the requested content can correspond to a Web page that is displayed on the client computing device 102 via the processing of information, such as hypertext markup language (“HTML”), extensible markup language (“XML”), and the like. The requested content can also include a number of embedded resource identifiers, described above, that corresponds to resource objects that should be obtained by the client computing device 102 as part of the processing of the requested content. In one embodiment, the embedded resource identifiers will generally in the form of the modified URLs, described above. Alternatively, one or more embedded resources may not correspond to secure content. Accordingly, the modified URLs associated with such non-secure content may not include the additional signature information.

Alternatively, the embedded resource identifiers can remain in the form of the content provider URLs that would be received and processed by a DNS nameserver associated with the content provider 104. In this alternative embodiment, the receiving DNS nameserver would use a canonical name record (“CNAME”) that would identify the network storage component 110. Upon receipt of the returned CNAME, the client computing device 102 subsequently transmits a DNS query corresponding to the received CNAME. The client computing device 102 can then process the received CNAME in a manner similar to the modified URLs, described below. For ease of illustration, however, the alternative embodiment will not be described in further detail and the additional processing steps will only be described with regard to the modified URL. One skilled in the relevant will appreciate that the below description may be applicable to CNAMEs as described in the alternative embodiment.

With reference now to FIG. 4A, upon receipt of the requested content, the client computing device 102, such as through a browser software application, begins processing any of the markup code included in the content and attempts to acquire the resources identified by the embedded resource identifiers (e.g., the embedded, modified URLs). Accordingly, the first step in acquiring the content correspond to the issuance, by the client computing device 102 (through its local DNS resolver), a DNS query for the Original URL resource identifier that results in the identification of a DNS nameserver authoritative to the “.” and the “com” portions of the modified URL. After partially resolving the modified URL according to the “.” and “com” portions of the embedded URL, the client computing device 102 then issues another DNS query for the resource URL that results in “.CDNprovider” portion of the embedded, modified URL. The issuance of DNS queries corresponding to the “.” and the “com” portions of a URL, such as the modified URL, are well known and have not been illustrated.

In an illustrative embodiment, the identification of the identification of a DNS nameserver authoritative to the “CDNprovider” corresponds to an IP address of a DNS nameserver associated with the network storage provider 110. In one embodiment, the IP address is a specific network address unique to a DNS nameserver component of a POP. In another embodiment, the IP address can be shared by one or more POPs. In this embodiment, a further DNS query to the shared IP address utilizes a one-to-many network routing schema, such as anycast, such a specific POP will receive the request as a function of network topology. For example, in an anycast implementation, a DNS query issued by a client computing device 102 to a shared IP address will arrive at a DNS nameserver component of the CDN service provider 106 logically having the shortest network topology distance, often referred to as network hops, from the client computing device. The network topology distance does not necessarily correspond to geographic distance. However, in some embodiments, the network topology distance can be inferred to be the shortest network distance between a client computing device 102 and a network storage provider POP. With continued reference to FIG. 4A, once one of the DNS nameservers in the network storage provider 110 receives the request, the specific DNS nameserver attempts to resolve the request.

With reference now to FIG. 4B, upon receipt of the successful resolution of the DNS query to the storage provider component (e.g., a DNS query corresponding to the modified URL http://additional information.CDNprovider.com/path/resource.xxx), the client computing device 102 transmits embedded resource requests to the CDN service provider storage component 120, 126, 132 (FIG. 1) corresponding to the previously provided IP address, illustrated generally as being received by the CDN service provider 106.

Upon receipt, the receiving CDN service provider storage component can process the resource request from the client computing device 102. In a first aspect, if the requested content corresponds to secure content (as designated by the content provider 104), the CDN service provider storage component can first verify whether the embedded resource request from the client computing device 102 includes appropriate signature information. As discussed with regard to FIG. 2A, the content provider 104 can provide the CDN service provider 106 with the necessary signature information for processing client computing device resource requests. Alternatively, the content provider 104 and CDN service provider 106 can be configured to utilized one or more additional network based services, such as secure information verification services 156, to verify signature information included in any embedded resource requests. If the embedded resource request does not include the necessary signature information or if submitted signature information is not valid or expired, the CDN service provider 106 can return an error message or otherwise reject the resource request from the client computing device.

Alternatively, as illustrated in FIG. 4B, if the CDN service provider 106 determines that the submitted signature information is valid and appropriate, the CDN service provider attempts to process the resource requests from resources maintained by the CDN service provider 106 (at one or more POPs 120, 126, 132 (FIG. 1)). If the requested resource is available, the CDN service provider 106 provides the requested resource to the client computing device 102. For example, the requested resource can be transmitted to the requesting client computing device 102 via the communication network 108.

With reference now to FIG. 4C, in an alternative embodiment, assume that the CDN service provider 106 determines that the submitted signature information is valid and appropriate, but the requested resource is not available at the CDN service provider POPs. For example, the client computing device request for the resource may be the first request for such a resource. In another example, the version of the resource maintained by the CDN service provider 106 may no longer be valid (e.g., based on expiration data associated, or otherwise maintained, by the CDN service provider). Because the requested resource is not available, the CDN service provider 106 requests the resource from a designated origin source, such as the network storage provider 110. In an illustrative embodiment, the CDN service provider's resource request includes an identity provided by the content provider 104. Additionally, in an illustrative embodiment, the CDN service provider's resource request includes signature information utilized by the network storage provider 110. Illustratively, the signature information can be different from the signature information provided by the client computing device 102 (FIG. 4B). If the signature information is not valid or incomplete, the network storage service provider 110 can reject the resource request.

Based on the submitted identifier and signature information, the network storage service provider 110 processes the resource requests in accordance with the policies previously set by the content provider 104. For example, the network storage service provider 110 may maintain access control lists (“ACL”) based on identities. The ACLs can define which identities can access a requested resource, criteria associated with authorized access (e.g., time restraints for accessing resources) and various policies that are to be associated with returned resources (e.g., expiration data for the requested resource). One skilled in the relevant art will appreciate that additional or alternative policy information may be utilized by the content provider 104 or network storage provider 110. Still further, in an illustrative embodiment, the content provider 104 may authorize, or otherwise designate as proxies, entities to define modify or maintain policy information. For example, a network storage provider 110 may be authorized by a content provider 104 to modify any policy information associated with one or more CDN service providers 106.

While illustrative embodiments have been disclosed and discussed, one skilled in the relevant art will appreciate that additional or alternative embodiments may be implemented within the spirit and scope of the present disclosure. Additionally, although many embodiments have been indicated as illustrative, one skilled in the relevant art will appreciate that the illustrative embodiments do not need to be combined or implemented together. As such, some illustrative embodiments do not need to be utilized or implemented in accordance with the scope of variations to the present disclosure.

Conditional language, such as, among others, “can,” “could,” “might,” or “may,” unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements or steps. Thus, such conditional language is not generally intended to imply that features, elements or steps are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without user input or prompting, whether these features, elements or steps are included or are to be performed in any particular embodiment. Moreover, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey utilization of the conjunction “or” in enumerating a list of elements does not limit the selection of only a single element and can include the combination of two or more elements.

Any process descriptions, elements, or blocks in the flow diagrams described herein and/or depicted in the attached figures should be understood as potentially representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps in the process. Alternate implementations are included within the scope of the embodiments described herein in which elements or functions may be deleted, executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those skilled in the art. It will further be appreciated that the data and/or components described above may be stored on a computer-readable medium and loaded into memory of the computing device using a drive mechanism associated with a computer-readable medium storing the computer executable components, such as a CD-ROM, DVD-ROM, or network interface. Further, the component and/or data can be included in a single device or distributed in any manner. Accordingly, general purpose computing devices may be configured to implement the processes, algorithms and methodology of the present disclosure with the processing and/or execution of the various data and/or components described above. Alternatively, some or all of the methods described herein may alternatively be embodied in specialized computer hardware. In addition, the components referred to herein may be implemented in hardware, software, firmware or a combination thereof.

It should be emphasized that many variations and modifications may be made to the above-described embodiments, the elements of which are to be understood as being among other acceptable examples. All such modifications and variations are intended to be included herein within the scope of this disclosure and protected by the following claims. 

What is claimed is:
 1. A system for managing content requests comprising: one or more first storage devices including a hardware processor and a memory, the one or more first storage devices configured to: host or process content on behalf of an original content provider; receive a client request for an embedded resource from a client computing device, the client request being associated with an embedded resource identifier and the client request including first signature information originally provided to the client computing device from the original content provider; and provide the embedded resource to the client computing device based on processing the first signature information; and one or more second storage devices including a hardware processor and a memory, the one or more second storage devices configured to: receive a first storage device request for an embedded resource from one of the one or more first storage devices, the first storage device request including second signature information, the second signature information being different from the first signature information; and responsive to the first storage device request, provide the embedded resource to the first storage device based on processing the second signature information, the provision of the embedded resource further in accordance with an access control list identifying one or more entities that are allowed to access the requested resource.
 2. The system as recited in claim 1, wherein the client request includes a DNS query associated with the embedded resource.
 3. The system as recited in claim 1, wherein the second signature information is originally provided by the one or more second storage devices.
 4. The system as recited in claim 1, wherein the access control list is configured by the original content provider.
 5. The system as recited in claim 1, wherein the access control list is configured on behalf of the original content provider.
 6. The system as recited in claim 1, wherein the access control list defines one or more parameters associated with access to the embedded resource by the one or more identified entities.
 7. The system as recited in claim 1, wherein the access control list defines one or more parameters associated with the requested embedded resource.
 8. The system as recited in claim 7, wherein the one or more parameters include expiration data associated with the requested embedded resource.
 9. The system as recited in claim 1, wherein the one or more first storage devices are further configured to verify the first signature information.
 10. The system as recited in claim 1, wherein a secure information verification service verifies the first signature information.
 11. The system as recited in claim 1, wherein the one or more second storage devices are further configured to verify the second signature information.
 12. The system as recited in claim 1, wherein a secure information verification service verifies the second signature information.
 13. A computer-implemented method for managing content requests comprising: hosting or processing content, by a content delivery network (CDN) computing device corresponding to a CDN service provider, on behalf of an original content provider; receiving, by the CDN computing device, a client request for an embedded resource from a client computing device, the client request being associated with an embedded resource identifier and the client request including first signature information originally provided to the client computing device from the original content provider; providing, by the CDN computing device, the embedded resource to the client computing device based on processing the first signature information; receiving, by a network storage computing device, a first storage device request for an embedded resource from one or more first storage devices, the first storage device request including second signature information, the second signature information being different from the first signature information; and responsive to the first storage device request, providing, by the network storage computing device, the embedded resource to the first storage device based on processing the second signature information, the provision of the embedded resource further in accordance with an access control list identifying one or more entities that are allowed to access the requested resource.
 14. The computer-implemented method as recited in claim 13, wherein the second signature information is originally provided by the network storage computing device.
 15. The computer-implemented method as recited in claim 13, wherein the access control list is configured by the original content provider.
 16. The computer-implemented method as recited in claim 13, wherein the access control list defines one or more parameters associated with the requested embedded resource.
 17. The computer-implemented method as recited in claim 16, wherein the one or more parameters include expiration data associated with the requested embedded resource.
 18. The computer-implemented method as recited in claim 13 further comprising verifying, by the CDN computing device, the first signature information.
 19. The computer-implemented method as recited in claim 13 further comprising verifying, by the network storage computing device, the second signature information. 